How it was: an operator's perspective 


19 April 2006 

Anatoly Dyatlov, the former deputy engineer for operations at Chernobyl, and the senior officer 
on the night of the accident, gives his side of the story. He thinks the reactor operators have been 
unfairly singled out for blame (having himself served four years in prison) and believes the 
accident was attributable entirely to design faults. [Article published in NEI November 19911 


Chernobyl 4 had been due to shut down for scheduled maintenance on 26 April 1986. By noon 
on the day before, reactor power had been reduced to 50% and one of the two turbine generators 
stopped. Further reduction in reactor power was however forbidden by the grid dispatcher due to 
a delay in the start-up of another power plant on the grid. Resumption of the unit 4 shutdown was 
finally permitted by the dispatcher at 23:00 hours on 25 April. 

REACTIVITY MARGIN 

In accordance with normal shutdown procedures, a routine programme of tests was being carried 
out. The only noteworthy point on this particular occasion was that, as a result of the reactor 
being poisoned by xenon, the operational reactivity margin (ORM) had to be reduced to a low 
level. The unit computer recorded a minimum of 13.2 rods. However, at the same time the 
computer registered that the reactivity compensated by the automatic controller (AC) rods had 
not been accounted for. There were 12 such rods partly inserted into the reactor core. Therefore a 
minimum ORM of 15 rods was assured. 

A reactivity margin of 28-32 rods was normally maintained in a stationary poisoned RBMK 
reactor at power, through the replacement of burnt up fuel bundles by fresh ones. The regulations 
contained the following restrictions: if ORM went below 26 rods, it was necessary to obtain the 
authorization of the chief engineer for further operation, and if ORM went below 15 rods, the 
reactor had to be shut down. These restrictions, which were added to the regulations after an 
accident at Leningrad unit 1 in 1975, were designed to enable the operator to control the power 
density distribution in the core. That, at least, is how the rationale for the restrictions was 
interpreted at the Chernobyl power station as well as at other plants equipped with RBMK 
reactors. There was no mention in the RBMK documentation that at low values of ORM the 
emergency protection system became, owing to faulty control rod design, the exact opposite of a 
protection system, ie a device that drove the reactor out of control. 

Were the staff of the Kurchatov Institute and of the Research and Development Institute for 
Power Engineering (the RBMK design organization) aware of this? Apparently yes - and there 
are documents to prove it. But I feel they did not have a clear notion. Otherwise their inertness 
right up to the time of the accident looks strange, to say the least. 




I am focusing here on the operational reactivity margin because it is now generally recognized 
that the reactor excursion on 26 April was initiated by the actuation of the reactor emergency 
protection system, which under the conditions of reduced operational reactivity margin did not 
work properly. This was due to miscalculation in the control rod design. 

After passing the xenon poisoning maximum the reactivity margin began to increase and at 
23:10, with the reactor at 50% power, it constituted 26 rods. The operator started to reduce 
power and by 24:00, when there was no change of shift, the unit parameters were: reactor power, 
760MWt; ORM, 24 rods; turbine generator No 8 under load (the plant’s other turbine generator, 
No 7, having been shut down); all other parameters normal. 

TG RUNDOWN PROGRAMME 

What remained to be done was to remove electrical load from turbine generator No 8, measure 
idling vibrations and perform tests according to a separate programme, let us call it the “TG 
rundown programme.” What was this programme and what was its purpose? 

Chernobyl 4 had an emergency core cooling system (ECCS) consisting of three “fast”-acting 
subsystems and three slower-acting subsystems. In the case of the maximum design basis 
accident (MDBA), involving the rupture of large diameter pipe and disconnection of the plant 
from the grid, the circulation of coolant is disrupted. To cool the core, the “fast”-acting 
subsystems of the ECCS are brought into play: two of them feed water into the core using energy 
derived from compressed gas in cylinders and the third uses feed pumps powered by the 
rotational inertia of a running down turbine generator. The feedwater pumps are intended to 
operate for a length of time which is sufficient to allow start up of the emergency diesels and the 
three slower-acting ECCS subsystems. Tests performed earlier had given unsatisfactory results 
and work was needed to put the finishing touches to a “rundown-unit” for the generator 
excitation system. 

After the disaster it was widely argued that the accident occurred because of the poor quality of 
the preparation and implementation of the turbine generator rundown test programme. It was 
pointed out that safety measures were not specified. Indeed, this section of the programme did 
look blank. But all necessary safety measures had been performed, and were specified in the 
programme as preparatory work, because they had been carried out in advance. 

The disconnection of the emergency core cooling system, as specified by the programme, has 
come in for particular criticism. In fact, this step was introduced into the programme in full 
accordance with the safety documents of the time, which authorized the chief engineer to 
disconnect the ECCS temporarily. Prof Adolf Birkhofer of the German GRS, speaking at the 
international congress in commemoration of Academician Andrei Sakharov in May 1991, said: 
“It is absolutely clear that such instructions could readily lead to errors with serious 
consequences and exactly that had occurred on the night before the accident.” 

One cannot but agree with the first part of this assertion, and be in favour of unconditional 
prohibition of even temporary disconnection of the ECCS - however small the probability of 
occurrence of the MDBA might be in the period when the ECCS is disconnected. At the same 



time, however, the second part of Prof Birkhofer’s assertion is ungrounded. The disconnection of 
the ECCS had no influence whatsoever on the occurrence and development of the accident. Nor 
could the system, regardless of assertions made by Soviet delegations to the IAEA, have had any 
influence on the scale of the disaster. It was not designed for such an accident and it was 
destroyed by the explosion. There was anyway nothing for it to cool: the fuel channels had been 
destroyed, the fuel had been turned to ash and there was effectively no reactor left. 

The carrying out of the test called for in the “TG rundown programme” also had no influence on 
the occurrence of the accident. The experiment required no special operating conditions at the 
plant. Four main circulating pumps (MCP) in each of the plant’s two loops were to be operated 
instead of the usual three per loop. But such operating conditions occurred frequently during 
pump tests, after repairs for example, and were included in the operational instructions. 

Neither can the accident be attributed to lack of rigour in the operational instructions. There are 
no technical reasons prohibiting the operation of four main circulating pumps in each loop. The 
maximum coolant flow through the fuel channels is restricted only by vibration of the fuel 
assemblies. But on this occasion conditions were far from this. The Soviet delegation which 
provided information on the accident to the IAEA were however correct when they indicated in 
their table of operating rule violations committed by the station staff (presented at the August 
1986 post-accident meeting) that the flow rate of two or three pumps out of eight was excessive. 
These pumps could have been torn apart because of insufficient delivery head. 

And those who assert that owing to high coolant flow rate the coolant temperature at the core 
inlet came close to the saturation point - from which it is concluded that the loop was 
thermohydraulically unstable - are incorrect. This incorrect assumption roams from one 
document to another. It is valid only for the main coolant pump inlets, not for the core inlet. 

There was also nothing remarkable about powering four of the main circulating pumps from the 
grid and the other four from a running down turbine generator. It was not the pumps but the head 
throttling valves (HTV) that were connected in parallel. The head v flow rate curve of the HTV 
at a low reactor power, when the head drop occurs mainly at the HTV, is not arched, but falls 
steeply - rendering the parallel operation mode stable. Furthermore, each pump has its own 
emergency protection system which shuts it off when the flow lessens. Therefore there could be 
no closures of non-return valves at the delivery head of pumps. However on 26 April things had 
not progressed that far. The monitoring system registered normal operation of all pumps at flow 
rates not less than 5000m 3 /h until the very moment when the reactor exploded. The rest of the 
plant was within normal limits. The emergency protection system signals will be referred to 
below, but they were not per se the cause of the disaster on 26 April. This is why one cannot 
agree with the second part of Professor Birkhofer’s assertion. 

As already mentioned, the night shift accepted the reactor at a power of 760MWt. At this stage 
the plan called for the removal of electrical load from the generator while leaving the reactor 
power the same. From a technical point of view it is not very good to have high reactor power 
and unloaded turbine but plant staff have got to accept the situation. However, apparently 
following a disagreement between the unit shift foreman and the plant foreman, a reduction in 
reactor power was initiated. At 00:28 during the transition from local to global power control a 



drop of power from 520MWt down to 30-40MWt occurred. According to the operator’s entry in 
the log (there are no reasons not to believe it) he lowered the setpoint of the power controller, 
balanced the controller and turned on automatic control mode. Then he began to raise the power. 

LOW POWER OPERATION 


At this point it should be mentioned that there was no violation of any instructions when the staff 
began to reduce the power. Before the accident there were no restrictions on reactor operation at 
any power level. The regulations directly specify that operation at a minimum controlled power 
level is not limited to any particular duration. The reason why the reactor became dangerous at 
low power level can be readily understood from Figure 1. At low power level a given power 
increment results in an increase in steam volume in the coolant which is many times more than at 
nominal full power (N nom ). The resulting fast power coefficient of reactivity, to which the 
negative Doppler effect of fuel and the positive steam void effect contributed, turned out to be 
positive. Its specific value has been reported neither by the scientists (the Kurchatov) nor by the 
designers (RDIPE), although it is hard to believe that they have not calculated it after the 
accident. It is difficult to say whether those who created the reactor were aware of this 
phenomenon, which is a direct consequence of the thermal hydraulic configuration adopted. 

What is absolutely clear, however, is that this phenomenon was not accounted for in practice. 



Figure 1. Mass (1) and volume (2) steam void coefficient of coolant v reactor power for 
Chernobyl 4. At low power a given power increment results in much greater voiding than when 
the plant is at nominal full power (N nom ) 

The nuclear safety department of the power plant worked under the guidance of the above 
mentioned organizations and measured the fast power coefficient at power levels close to 
nominal full power, ie in the region where it was negative. The results were used by the 
operators in their everyday work. The latest data prior to the accident gave a value of minus 
1.7X10' 4 fi/MW. 

Paragraph 2.2.2. of the General Safety Provisions (OPB-82) states: “As a rule the fast power 
coefficient of reactivity should not be positive in any operational conditions of the nuclear power 
plant and under any conditions of the heat removal systems of the primary loop.” The RBMK 


Chief Designer, N A Dollezhal, says the following about the negative influence of large positive 
values of steam void coefficient of reactivity on the stability of the reactor: . .during operation 
with U enriched to 2% this influence is regulated by the insertion of special absorbers into the 
channels, as strictly specified in the operating instructions. Violations are intolerable because 
they make the reactor uncontrollable.” The RBMK reactor in 1986 was exactly such: enrichment 
2%, no special absorbers in the core. But there were no relevant provisions in the operational 
instructions and nor were such operational provisions ever likely to appear since there were no 
references to the phenomenon in the standard reactor design documentation. And in general the 
reactor core was managed on the basis of calculations made by the lead design organization 
(RDIPE) using data obtained from the nuclear power plant itself. In other words, there were the 
instructions found in the operating documents on the one hand and the statement of the reactor 
designer on the other about procedures to make the reactor safe. But in reality the two were not 
properly connected and everything was done the wrong way round. 

Returning to the Chernobyl case. The reactor power drop at 00:28 was nothing remarkable, it 
was not a rare event at all. The real essence of the matter is quite different. Did the staff violate 
the operational instructions when they increased reactor power after this drop? What should the 
staff have been guided by? Presumably by instrument readings and rules. According to the log 
entry, the operator raised the power using the setpoint controller and switched the power 
controller to the automatic mode. But under the regulations that was a partial power reduction. 
The only obstacle to raising power could be the drop of ORM to a value less than 15 rods. What 
that value really was, taking account of presently known information, one can only say after 
making calculations. It was impossible to measure that value at the power level which existed 
than at Chernobyl 4. From our knowledge of the reactor before the accident, the ORM could not 
have been less than 15 rods and therefore there was nothing to bar raising of the reactor power. 

Recent studies of the accident, for example that of the Steinberg Commission among others, have 
referred to the neutron and thermal power of the reactor. These references are irrelevant because 
the Chernobyl 4 unit was not provided with the means for the direct measurement of thermal 
power. Ionization chambers and silver probe activation techniques measure only the neutron 
power. Thermal power is nevertheless mentioned here to distinguish it from electric power and 
because the system for physically monitoring the power density distribution was calibrated using 
thermal parameters. 

After the power drop the reactor power was limited to 200MWt because that was enough for 
performing the required test programme. The job should have been completed in 30 minutes. The 
table of operating rule violations by power plant staff presented by Soviet experts to the IAEA in 
August 1986 includes reference to blocking the two-turbine-generator trip signal (ie the signal 
that shuts the reactor down when the second of the two turbines is tripped) and closing the 
emergency stop valve. In reality these violations did not exist. As a result of the low reactor 
power, pressure in the coolant loop started to fall. To stabilize the situation one could have cut 
off steam to the turbine, but then the two-turbine-generator emergency trip would have actuated. 
The shift foreman therefore turned this trip off. According to the regulations it could be turned 
off at a power level less than lOOMWe. For the same reason the setpoint of the turbine 
emergency trip system was changed from 55 to 50 kg/cm 2 . The operator also had the right to do 
that. The emergency system protecting the reactor against high pressure in the loop was always 



turned on. Therefore the operator’s actions were logical, well grounded technically and in 
compliance with the requirements of the documentation then in force. The assertion contained in 
the table of alleged operating rule violations to the effect that the reactor emergency protection 
systems sensing thermal parameters had been completely turned off is a fiction. There is no need 
to enumerate, but the functioning of protection systems was appropriate to the operating 
conditions that the unit was in at the time, with the exception of protection against water level 
drop in the steam drums; this level was minus 1100mm instead of the minus 600mm level that 
would be normal for such a power level. Against the background of this information, the 
“international community” (the tenn used by one of the Soviet delegation to the IAEA post¬ 
accident meeting, Armen Abagyan) would surely have had difficulty understanding the purpose 
of discrediting the operating staff and how it became possible. 

At 01:03 and 01:07 on 26 April main circulating pumps 7 and 8 were turned on. Measurements 
of turbogenerator vibration were performed and the preparatory work for carrying out tests 
according to the “TG rundown programme” was completed. The participating staff had been 
briefed and everybody went to their working stations. At that time the reactor power was 
200MWt, all parameters were normal and stable, there were no emergency or warning signals, 
the turbine generator was powering four out of eight main circulating pumps and the feedwater 
pumps, while all other systems were on the reserve power supply. 

The numerous judges of the operating staff have pointed out that in order to fulfil the job 
assigned to them the staff violated the regulations and operational instructions. But it is clear that 
the staff had in fact committed no violations and there were no reasons not to go through with the 
assigned task - bearing in mind that one must of course look at what happened against the 
background of the documentation which was in effect at that time and the level of knowledge 
about the reactor which was available to operating personnel from documents and literature. 

CONTROL ROD FAULT 

And yet the seeds of destruction had already been sown. For if, for any reason, a decision had 
been taken not to go ahead with the final test and the button had been pushed to trip the reactor 
or if the emergency protection system had been actuated by any signal, the explosion would have 
happened anyway. 

With the benefit of hindsight it can be seen that there had been many cases where RBMK 
reactors were in a similar condition and on the brink of explosion. It turns out that the RBMK 
reactor, just like all nuclear reactors, was nuclear-unsafe at large values of ORM, but, unlike 
other reactors, it was even more dangerous at low values of ORM. What a paradox! The creators 
of the reactor were rather reticent about this characteristic. If they had revealed it, of course, 
operators would have been rather difficult to find. 

Figure 2 shows schematically the design of control rods as used in the reactor control and 
protection system. To eliminate parasitic absorption of neutrons by the water column in a control 
and protection system channel when the absorbing control rod is raised, a 4.5m long graphite 
displacer was suspended from it. Therefore when the control rod is in contact with the upper 
limit switch, the displacer is positioned in the middle of the core and there are water columns 



1.25m high in the upper and lower parts of the core. During the downward insertion of a rod into 
the upper part of the core the absorber introduces negative reactivity and the displacer, displacing 
water, introduces positive reactivity into the lower part. If the maximum neutron flux is shifted to 
the lower part of the core, then during the first 3 seconds of rod movement (rod insertion speed = 
0.4 m/s) the shutdown system introduces net positive reactivity. At low values of ORM most of 
the control rods are out of the core and the actuation of the emergency protection system by trip 
signal or by pushing the trip button sends all the rods into the core. 


(a) (b) (c) 
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Figure 2. The control rod arrangement at Chernobyl. The initial effect of rod insertion is to 
introduce positive reactivity into the bottom of the core. Key: 1 - absorber; 2 - graphite displacer; 
3 - water; a - rod out of the core; b - beginning of insertion; c - sign of reactivity introduced 

But owing to the core’s large height its lower and upper parts behave, especially when the central 
area of the core is heavily poisoned, rather like two independent reactors. The effect of the rods 
inserting is to create in the lower part of the core a local critical mass, and the neutron 
distribution tends to shift downwards irrespective of where it was before the protection system 
trip. The power in the lower part of the core begins to increase and then the positive fast power 
coefficient of reactivity comes into play. The fatal loop gets closed. Paragraph 3.3.28 of the 
Soviet Nuclear Safety Rules states: “The quantity, positioning and actuation speed of 
components of the emergency protection system must be specified and validated in the reactor 
design, where it should be shown that in any emergency conditions and in the event of non¬ 
actuation of the single most effective element, the actuating components of the emergency 
protection system provide: a rate of emergency reduction in reactor power sufficient to prevent 
potential damage to fuel exceeding tolerable limits: and prevention of the formation of local 
critical masses.” In the Chernobyl case, the safety rods were themselves creating a critical mass 
in the lower part of the core. 

Here is what Mr Yemelyanov, deputy director of RDIPE, who directed the development of the 
RBMK Control and Protection System writes: “The elements for changing reactivity must be 






designed in such a way that a change in its direction of movement does not alter the sign of the 
reactivity increment.” 

It is just as in the case of the steam void coefficient. On the one hand we have a document setting 
out the rules, while on the other hand there is the opinion of an expert as to what is required in 
the design of a control and protection system and ... once again ... things seem to have been 
done the wrong way round. 

The Chernobyl operating staff made a mistake on 26 April in having over-looked the reduction 
of the ORM below the level of 15 rods stipulated in the regulations. Although the staff were not 
aware of the significance of the ORM in terms of its capability to transform the emergency 
protection system into a reactor excursion device, they were not exactly treating this parameter 
lightly. Controlling power density distribution is always a serious business. A violation here can 
lead to a major accident. 

LACK OF INSTRUMENTATION 

The reduction in ORM was overlooked owing to the lack of suitable instrumentation to indicate 
its value. The device available to the Chernobyl 4 operators at the time required about five 
minutes to do a single measurement and was completely useless when reactor parameters were 
not constant. While it was suitable for controlling the power density distribution when used in 
combination with the system for physically monitoring power distribution, it was completely 
inappropriate for the task that had just presented itself to the Chernobyl operators. 

One should add that they were also getting false information about the power coefficient of 
reactivity. In the event of a power reduction with a negative value of the coefficient the ORM 
should have increased, but in reality the value of the coefficient was positive, and the operator 
had no way of knowing that. 

To control the reactor using a system based on side ionization chambers the operator has to 
perform up to 1000 manipulations per hour and monitor about 4000 parameters simultaneously. 
In these circumstances it is somewhat cynical to accuse him of overlooking something. 

The departure of ORM from normal values (by the way, 15 rods by no means guaranteed safety 
and it is not entirely certain that at the time of pushing the AZ-5 button the ORM was less than 
15) could lead to a global-scale disaster. If that was so, then why did the designers of the reactor 
not fulfil the following requirements of the rules: 

Paragraph 3.1.8 of the Nuclear Safety Rules, which says that, “The alarm system of the reactor 
must produce the following indications: signals (light and sound) when reactor parameters reach 
the setpoints of the emergency protection system and when reactor conditions deviate from 
normal; warning signals (light and sound) in the event of parameters approaching the setpoints of 
the emergency protection system...” 

Paragraph 3.3.2 of the Nuclear Safety Rules, which says that, “The Control and Protection 
System must be provided with a fast acting emergency protection system securing automatic 



reactor trip in case of an emergency. Signals and setpoints of the emergency protection system 
must be validated in the design.” 


Paragraph 2.7.1 of the General Safety Provisions, which stipulates that, “Protection systems 
must perform their functions to secure safety in case of any envisaged initiating events and in 
case of failures independent from the initiating event.. 

A mistake by operating staff is an initiating event. Discussion about separating the functions of 
man and machine is clearly irrelevant here. One can talk about this when an operating error or a 
deviation of a parameter merely leads to unit shutdown without any damage, but no in the 
present case. 

FINAL EVENT SEQUENCE 


I feel like setting forth the final sequence of events in the first person. It had been agreed at the 
briefing held directly before the start of the experiment planned under the “TG rundown 
programme” that upon the command “start oscilloscope”: the oscillograph would be triggered to 
record the electrical parameters; a special additional push button designated “MPA” would be 
pushed to turn on the rundown-unit of the generator excitation system; steam feed to the turbine 
would be stopped; and the reactor would be tripped using the AZ-5 button, which is used both in 
emergency and normal conditions. 

At 01:23:04 the monitoring system had registered the closure of the turbine stop valves. 

Rundown began. Everything was normal. The decrease in generator speed was accompanied by 
reduction in the rotational speed of the four running down main circulating pumps and the flow 
rate through them. The flow rate of the four main circulating pumps powered from the reserve 
grid supply had somewhat increased. The total flow rate of coolant had decreased by the time of 
the explosion down to 48-50,000m 3 /h. The automatic controller was holding reactor power stably 
while compensating positive reactivity introduced by the flow rate decrease. 

It was quiet in the control room, no conversation. When someone did speak, I turned back and 
saw the reactor operating saying something to the shift foreman. I was about ten metres away 
from them and could not quite make out exactly what the operator said. The shift foreman 
ordered him to trip the reactor indicating with a finger: “push the button.” The foreman himself 
turned back to the panel he was watching. Their behaviour showed no signs of particular 
concern. I noted to myself that for some unknown reason the shift foreman had not given the 
order to trip the reactor immediately. But that did not matter at all. The reactor would have 
exploded 36 seconds earlier, no more than that. 

I also turned to watch the instruments. The monitoring system had registered the pushing of the 
AZ-5 button at 01:23:40 but was not showing any warning signals at this time. These signals 
only started to arrive a few seconds later. At 01:23:43 the emergency signals warning of high 
reactor power and reduced power rise doubling period were registered. The main circulating 
pumps kept up a flow of coolant right up to 01:23:46, when due to a sharp power rise the flow 
rate through the running down main circulating pumps (loop 1) and then that through the other 
pumps dropped. The pressure in loop 1 went up. At 01:23:46 or 01:23:47 a large explosion was 



heard and, one or two seconds later, there was another one, which in my perception was even 
bigger. And then the silence fell. 

The sequence of events seemed to be as follows: 

• After pushing the AZ-5 button the emergency protection system added, according to 
calculations, about a fi of positive reactivity and created a local critical mass in the lower part of 
the core - resulting in a sharp increase of power there (see Figure 3) and the coming into play of 
the positive power coefficient of reactivity. The power in the lower part of the core rose to the 
level at which the fuel exploded and got dispersed. 
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Figure 3. Change in height distribution of core power density after pushing the AZ-5 button. 

1,2,3 denote the distribution after three successive time intervals 

• The pressure rise in the coolant, loop and the contact of coolant with fuel resulted in the rupture 
of the fuel channel pipework in the lower part of the reactor. The core remain without water and 
the steam void effect made possible a power excursion in the remaining part of the reactor, 
which resulted in a second explosion. I cannot tell what role the reaction between steam and 
zirconium played, if any. 

I would like to quote here Paragraph 3.8.26 of the Nuclear Safety Rules: “The emergency 
protection system of the reactor must be capable of stopping the chain reaction quickly and 
securely in an automatic mode in the following cases: when the emergency high power setpoint 
is reached; when the emergency power rise rate setpoint is reached; when the reactor trip buttons 
are pressed.” 

The way in which the Chernobyl reactor protection system fulfilled this requirement is now well 
known. 


REAPPORTIONING BLAME 

The official Soviet version of the reasons for the Chernobyl disaster, the information given by 
Soviet experts to the IAEA and practically all other early assessments of the accident 


apportioned most of the blame to the operating staff - although they could not avoid pointing to 
some “drawbacks” and “peculiarities” of the reactor itself. 

But recently there has been an increasing tendency to recognise the “drawbacks” and 
“peculiarities” of the RBMK design as unacceptable. These are now seen as a root cause of the 
accident. However the burden of the official charges against the operating personnel seems to 
exert a powerful influence on people’s thinking and they are unable to abandon completely their 
initial perceptions. Commissions which investigated the accident or members of the International 
Nuclear Safety Advisory Group, who were inexplicably persuaded as to the guilt of the 
operators, are nevertheless not included here. True, the official Soviet spokesmen resorted to 
direct lies and omission of the known facts. But even so... 

In conclusion: 

• Whether there were operating blunders or not, it is clear to everyone that reactors capable of 
causing such violent explosions must never be allowed to go into operation. However good or 
bad the operators, there were and there will be blunders. But the possibility of errors leading to 
such serious consequences must be ruled out by the design features of the reactor and plant 
equipment. 

• The Soviet regulations set out essential requirements for the design of safe reactors (as well as 
other equipment). They do not include any redundancy, so all the requirements must be fulfilled. 
The Soviet Nuclear Safety Rules and General Safety Provisions contain exact formulations in 
this respect. But there are several paragraphs that the Chernobyl RBMK did not comply with and 
some examples are quoted above. The reactor had an intolerably high positive value of steam 
void coefficient of reactivity which led to a positive power coefficient and to a reactivity 
excursion of several B. The design suffered from dynamic instability and it was for this reason 
that the reactor exploded in the case of what amounted to a simulated maximum design basis 
accident (failure of main circulating pumps). Because of this fact alone the reactor should never 
have been accepted for operation. 

The emergency protection system of the reactor was beneath contempt. One could perhaps 
sympathize with a designer if a protection system failed to cope with a large and/or rapid 
reactivity rise in an accident situation, but it is impossible to understand a protection system 
which itself drives the reactor into a power excursion. Again, this feature alone should have 
precluded the reactor from ever entering operation. 

• At 01:23 and earlier the reactor was in a bomb-like state. An explosion might have been 
triggered by a trip signal actuating the emergency protection system or (as was eventually the 
case) by manual pushing of the scram button. And in the meantime the monitoring system issued 
not a single alarm signal and the operating staff did not realize the danger they were in. But not 
because they were blind. It might well be asked to what criteria had the monitoring systems been 
designed. 



• The inaccurate information tolerated by the staff in perfonning their functions on 26 April 
could, had it been a reactor design which fulfilled the requirements of the regulations, led in the 
worst case to an unplanned trip of the reactor without any damage whatsoever. 

• The time has come to say openly: the design of the RBMK-1000 was not a contributor, not a 
major factor, but the sole reason for the Chernobyl accident. 






